Drive-by Cyber Attack Behind Sewer Explosion

Last week’s cyberattack on the sewer system in Delano, GA was set up by an attack on a web site run by WWTP Support, LLC in California. That company supplies technical assistance and engineering support to wastewater treatment plants across the country. According to the National Critical Infrastructure Security Operations Center (CI-SOC), a tool available on that site provided attackers with a foothold on the computer of anyone that used the tool in the last three months. “We are working with the Federal Bureau of Inquiry and the owners of WWTP Support to try to identify who is responsible for the attack on that web site,” General Buck Turgidson, Director of CI-SOC, told reporters this morning. Kate Libby, a spokesperson for Dragonfire Cyber, told reporters that it looks like the web site attackers may be selling access to the affected treatment plants, treatment plants like the one in Delano. “We have seen ads on the DarkWeb by an individual known as FlusherSale selling access to small to medium size wastewater treatment plants,” she told reporters at the CI-SOC press conference; “While most of these sales are for ransomware attackers, we did find conversations between FlusherSale and Anti-Arr.” Libby went on to explain that Anti-Arr was seeking a discount on the use of access to the Delano WWTP system because they were not going to use the access for ransomware. They argued that FlusherSale could still sell the Delano information to someone else in a couple of days. CI-SOC confirms that they did stop a ransomware attack on the Delano WWTP systems during their investigation of last week’s attack. A person connected with the Delano Police Department who was not authorized to talk with the press, told me that they are investigating rumors that a political opponent of Mayor Carter was behind the attack last week. I was told that it was not either of the two candidates running also running for Mayor, but someone with a long-time grudge against Carter. CI-SOC and the FBI have issued a joint cyber alert on the drive-by attack on the WWTP Support web site and are urging all waste water treatment operators that may have had personnel visiting that site to have cybersecurity experts check their control systems for the indicators of compromise that the researchers at Dragonfire Cyber have identified. “We have confirmed that at least two recent ransomware attacks on treatment facilities are associated with the WWTP Support website compromise,” Johnathan Quest, FBI spokesperson told reporters via video link this morning. Kate Libby noted at this morning’s new CI-SOC news conference that they had been able to stop the ransomware attack on the Delano system. “Preventing a ransomware attack is much cheaper than responding to one,” Libby reminded the audience. CAUTIONARY NOTE: This is a future news story –Future ICS Security NewsRead More